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Who am I? 



Independent Operating System 
Developer 

Professional Software Engineer 
and Malware Analyst 



Living in Wiener Neudorf, a 
suburb of Vienna (Austria) 



Introduction 



About 



Bootkit = Root kit + Boot Capability 
Introduced by Vipin and Nitin Kumar 

Stoned is a new bootkit targeting 
Windows operating systems 



Windows 2000 

Windows XP 

Windows Server 2003 

Windows Vista 
Windows Server 2008 

Windows 7 RC 



C'J 



TrueCrypt 



Main targets: 

- Pwning all Windows versions 
from the boot 

- Being able to bypass code 
integrity verifications & 
signed code checks 



www.stoned-vienna.com 



Architecture 
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C: . 



autoexec.bat 

config.sys 

ctapi_out_gr.txt 

ntuser.dat 



-Stoned 



Appli cations 
Plugins 



Master Boot Record 



File System 



„A memory resident bootkit up to the Windows kernel* 



+ Boot applications executed on startup 

+ Drivers executed beside the Windows kernel 



Stoned Virus 



Your PC is now Stoned! 
Your PC is now Stoned! 



(1987) 
(2010) 



Stoned is the name of a boot sector computer virus created in 1987, 
apparently in New Zealand. It was one of the very first viruses, and 
was, along with its many variants, very common and widespread in 

the early 1990s. 



http://en.wikipedia.org/wiki/Stoned (computer virus) 

Stoned was an OS independent boot 
sector infector. 

- Probably the first bootkit? 

- 416 bytes of size, small & effective! 



Windows Boot Process 



BIOS 




Master Boot Record 




Partition Bootloader 







ntldr / bootmgr 








NT kernel 



OS Loader 



winload.exe — ► 



Ntldr = 16-bit stub + os Loader (just binary appended) 

Windows Vista splits up ntldr into bootmgr, winload.exe and winresume.exe 



Windows XP 


Windows Vista 


Processor Environment 


ntldr 


bootmgr 


Real Mode 


OS Loader 


OS Loader 


Protected Mode 


- 


winload.exe 


Protected Mode 


NT kernel 


NT kernel 


Protected Mode + Paging 



Insecuring Windows 



Pwning Windows from the boot 



Bootkit Real Mode 


Relocates the code to the end of 
memory (4 KB), hooks interrupt 
13h and patches code integrity 
verification 


Bootkit Protected 
Mode 


Patches image verification and 
hooks NT kernel 


Kernel Code 


NT kernel base address and 
PsLoadedModuleList are used for 
resolving own imports 


Driver Code 


Loads, relocates, resolves, 
executes all drivers in the list 


PE Loader 


PE-image relocation & resolving 


Subsystem 


Core functions for the Stoned 
Subsystem installed in Windows 


Payload 


Kernel drivers 

Applications using the subsystem 



Stoned MBR 



_L 



Interrupt 13h 
handler 



Windows boot 

file loading 

routine 



J_ 



Windows init 
system 



Payload 



TrueCrypt Attack 



There are two possible scenarios: 

1. Only the system partition is encrypted 

2. Full hard disk is encrypted 

However, the master boor record always stays unencrypted. 



Windows I/O 
Request 






Hook! Call 
(unencrypted request) 

(encrypted request) 
jmp 0000h:BACKh 






TrueCrypt 
Encryption 




























BIOS Disk 
Services 













A double forward for intercepting the encrypted and decrypted disk I/O. 



Previous Bootkits 



2006 



2008 



2010 



Stoned 



BootRoot 



Mebroot 
BOOT KIT TPMkit 

Vbootkit 



Stoned Bootkit 



Vbootkit 2.0 



1987 



2005 



2007 



2009 



Previous research bootkits at conferences: 



BootRoot 


Windows XP 


Black Hat USA 2005 


Vbootkit 


Windows Vista 


Black Hat Europe 2007 


Vbootkit 2.0 


Windows 7 (x64) 


Hack In The Box Dubai 2009 



Stoned Architecture 



Master Boot Record 



Master Boot Record = first 63 sectors of hard 
disks; contains Partition Table and Bootloader 



Modularized Stoned MBR contains: 



Address 


Size 


Description 


0000 


440 


Code Area (Bootloader) 


Bootloader.sys 


01B8 


6 


Microsoft Disk Siqnature 


01BE 


4*16 


IBM Partition Table 


01FE 


2 


Siqnature, 0AA55h 


0200 


2 KB 


System Loader 


System Loader.sys 


0A00 


1 KB 


Textmode User Interface 


Textmode TUI.sys 


0E00 


8 KB 


Disk System 


Disk System. sys 


2E00 


2 KB 


Load Application Programming 
Interface for Real Mode 


API [RMJ.sys 


3600 


512 


Rescue Module 


Rescue Module. sys 


3800 


8 KB 


Free space (former User 
Interface and Hibernation File 
Attack) 


[Embedded Boot Application] 


5800 


1.5 KB 


Crypto Module 


Crypto Module. sys 


5E00 


1 KB 


Boot Module 


Boot Module. sys 


6200 


4 KB 


Pwn Windows 


Windows. sys 


7200 


2 KB 


Free Space 


Sector 61 


512 


Original Bootloader Backup 


Sector 62 


512 


Configuration Area / TrueCrypt volume-header information 



Stoned Modules 



Management Modules: 



Bootloader 


System Loader 


Plugin Manager 



API providing modules: 



API [RM] 


Boot Module 


Crypto Module 


Disk System 


Locking Module 


Rescue Module 


Textmode UI 


User Interface 



Boot applications use the API provided by the modules. 

They are independent from each other (this is also why the 
Windows pwning module can be injected into TrueCrypt's 
MBR). 



Windows XP Boot 



BIOS 




Microsoft's Master 
Boot Record 




IMTFS Partition 
Bootloader 





— ► ntldr (uses ntdetect.com) 



NT kernel 



Ntldr contains a 16-bit stub and a 32 bit PE Image (= OS Loader) 
This concept has not been changed in Windows until Windows Vista 



Hooking & Patching (simplified): 

- Interrupt 13h hooked 

- Ntldr hooked for calling 32-bit code and patching 
the code integrity verification 

- Patching the NT kernel 

- Executing payloads (driver) 



Windows Vista Boot 



BIOS 




Microsoft's Master 
Boot Record 




NTFS Partition 
Bootloader 





bootmgr 

(also allows to 

execute ntldr for 

multi-boot systems) 








NT kernel 

HAL 

Boot drivers 


— 


winload.exe 


— 












— 


winresume.exe 


— 


hiberfil.sys 



Hooking & Patching (simplified): 

- Interrupt 13h hooked 

- Bootmgr hooked to call 32-bit code 

- Patching winload.exe code integrity verifications 

- Patching the NT kernel 



Boot Media 



■ Currently only IBM-conform legacy 
boot supported 

■ In future EFI (Extensible Firmware 
Interface) support 

All common drives supported: 

Floppy, CD, DVD, Blu-ray, USB flash 
drives, removable media, hard drives, 
network boot 

^ Media independent. 



Plugins 



About Plugins 



Extending the core functionality by 
static bootkit attacks 



User Interface 


C0 2 -Plugin 


PE Infector 


File Parsers 


Hibernation File 
Attack 


Pagefile 
Injector 


Music Melody! 


Boot Password 
Crack 


AntiWPA 


Persistent BIOS 
Infector 


...and much more under development 



May be out sourced to the file system. 
User data stored in CMOS memory? 



Hibernation File Attack 



Predecessor of Stoned 

Static attack of bootkit 

Structures were revealed with BH USA 2008 
^Windows Hibernation File for Fun and Profit 7 




Save The Environment! 

■ Example Plugin 

- Throttling CPU speed down to 80% 

■ Normal user should not take any 
notice but our earth does :) 

■ Using the Advanced Configuration 
Programming Interface 



Boot Applications 



Example: Sinowal Extractor 



Using Stoned Bootkit to execute Sinowal and 
then extract the unpacked kernel driver 

■ Tracing the memory by hooking the exports 

for ExAllocatePool () and ExFreePool () using 

the installed Stoned Subsystem 

-► Writing it out to disk for further analysis 



New Anti-Malware technology? 



0007f720h: 50 

0007f730h: 42 

0007f740h: 55 

0007f750h: 44 

0007f760h: 41 

0007f770h: 41 

0007f780h: 53 

0007f790h: 54 

0007f7a0h: 0D 
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PLUG. . . .INFO. . . 
BIP./. . .NOOP. . . 
DUST .... INST . . . 
Dec. Nov. Oct. Sep 
Aug . Jul . Jun . May 
Apr . Mar . Feb . Jan 
Sat.Fri.Thu.Wed 
Tue . Mon . Sun .... 
. .%3: . .%x. .chuT, 



(Unpacked Sinowal kernel driver, here you see commands & 
domain name generation strings) 



Bootkit Installation 



Installation Guide 



1. Backup original MBR 

2. Overwrite Master Boot Record 

3. Extract Files 

Problem: Raw sector access is required 



Windows XP 
Windows Vista 



Administrator rights 
Elevated Administrator rights 



But every problem has its solution... 



Raw Sector Access 



Solution 1: 

75% of the users have full admin privileges 



However, outside the enterprise and the Parental Controls case, most 
machines (75%) have a single account with full admin privileges. 



According to Ben Fathi, Windows 7 User Account Control Engineer 

■ Solution 2: 

Ask the system for elevated rights at runtime using 
sheiiExecute () or request it via a manifest 

If the user clicks "no" terrorize the user and ask again, 
e.g. start the elevated process until the user clicks "yes" 



Elevated Administrator Rights 



Method 1: Application Manifest 



<requestedPrivileges> 

<requestedExecutionLevel level="asInvoker" uiAccess="true"/> 
</requestedPrivileges> 



Application manifest (can be embedded into the application as resource) 



/MANIFESTUAC : "level=asInvoker" 



Visual Studio linker option to generate and include such a manifest 



Method 2: ShellExecuteQ at runtime 



HINSTANCE ShellExecute ( 
HWND hwnd, 

LPCTSTR lpOperation = "runas", 
(...) 

); 



MBR is still writable 



CreateFile("\\ . \PhysicalDriveO", ...) 

Direct driver usage, IOCTLs 

Also works with Windows Vista and Server 
2008: 



A file system can write to a volume handle only if the following conditions are true: 

Condition 1: The sectors that are being written to are boot sectors. 

Condition 2: The sectors that are being written to reside outside the file system space. 



According to the Microsoft Knowledgebase article #92448 "Changes to 
the file system and to the storage stack to restrict direct disk access and 
direct volume access in Windows Vista and in Windows Server 2008" 



63 Sectors (31,5 KB size, sectors 0-62) 



Administrator: C:\Wirdows\sYstem32\cmci.exe 



licrosoft Windows [Uersion 6.0.6001] 
Copyright <c> 2006 Microsoft Corporation. AIL 

:\Users\Peter Kleissner>uhoami 
;eattle\peter kleissner 



Time for a live 
demonstration! 



General 
Considerations 



We Bypass 



- Kernel Patch Protection 

Only for 64 bit and running systems 

- Digital Signatures 

We can inject unsigned code, no signed 
code check will be performed 

- Code integrity checks 

We do not patch executables on disk, 
therefore no integrity check will fail 

- Data Execution Prevention 



PoC Payload 



Same as in Vbootkit (BHE 2007) 

Thanks to my friends Vipin & Nitin Kumar! 

Console Privilege Escalation 

-Changing privilege of every cmd.exe 
process to the same as services.exe 

- Written as normal driver for Stoned 
Displaying signature at startup 



Your PC is now Stoned! 



again 



Developing with Stoned 



1. Download the framework 

2. Write your own driver 

3. Modify the infector, or just: 

Use the installed Stoned Subsystem in 
Windows by your application 

syscall, int 2Eh with 
function numbers = 3000h-3FFFh 



-* New open development platform 



Secure the pre-boot Environment 



Advice to OS vendors and HW architects: 

Take use of the Trusted Platform Module 
and full volume encryption. 

Full volume encryption software should: 

1. Secure its own software 

2. Disable MBR overwrite in Windows 

3. Make MBR genuine verifications 

Do not try to fix software issues with security policies. 



Future versions? 



- Linux support (OS independency) 

■ 64-bit Windows support 

■ Defeating Trusted Platform Module 

■ Anti Windows Protection Activation 
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Thanks. 



Questions? 
Comments? 



.for your attention! 



Peter Kleissner at 
Black Hat USA 2009 



Thank You! 



